Trond1981, posted 26 June 2008

Hi, I'm struggling with popups of the kind that warn about risks on my PC and offer a free scan to fix them.... I can't get rid of them.... Could someone take a look at my log??

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:23:49, on 26.06.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\ASScrPro.exe
C:\Program Files\P4P\P4P.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\CyberLink\Shared files\brs.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\CTPdeSrv.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\explorer.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\RogueRemover FREE\RogueRemover.exe
C:\Users\Trond\Desktop\Hijack this\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ASUS Camera ScreenSaver] C:\Windows\ASScrProlog.exe
O4 - HKLM\..\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe
O4 - HKLM\..\Run: [PowerForPhone] "C:\Program Files\P4P\P4P.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [bDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\khfFWqqp.dll,#1
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Trond\AppData\Local\Temp\awttrSKb.dll,c
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Trond\AppData\Local\Temp\ljjKeCut.dll,#1
O4 - HKCU\..\Run: [fa49ba5b] rundll32.exe "C:\Users\Trond\AppData\Local\Temp\ptbcacrk.dll",b
O4 - HKCU\..\Run: [bMf97a89c7] Rundll32.exe "C:\Users\Trond\AppData\Local\Temp\lgtgckkt.dll",s
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETTVERKSTJENESTE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: ADSM Service (ADSMService) - Unknown owner - C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: Syntek AVStream USB2.0 WebCam Service (StkSSrv) - Syntek America Inc. - C:\Windows\System32\StkCSrv.exe

--
End of file - 9361 bytes
norbat, posted 26 June 2008

Hi there,

Step 1: See whether you can uninstall StoltBeskyttelse from Add/Remove Programs.

Step 2: Start HJT, choose "Do a system scan only", tick the following lines and click Fix checked:
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\khfFWqqp.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Trond\AppData\Local\Temp\awttrSKb.dll,c
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Trond\AppData\Local\Temp\ljjKeCut.dll,#1
O4 - HKCU\..\Run: [fa49ba5b] rundll32.exe "C:\Users\Trond\AppData\Local\Temp\ptbcacrk.dll",b
O4 - HKCU\..\Run: [bMf97a89c7] Rundll32.exe "C:\Users\Trond\AppData\Local\Temp\lgtgckkt.dll",s

Step 3: Download CCleaner. Start the program. Go to 'Options'->'Advanced'. Untick: "Only delete temporary files older than 48 hours". Click 'Cleaner' and then 'Run CCleaner'.

Step 4: Download the free version of SAS, install it, update it and run a full scan. The program will ask to restart the PC. Let it do so.

Step 5: Post a new HJT log + the log from SAS (preferences->statistics/logs).
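The five entries norbat picked out share a pattern that can be checked mechanically: rundll32.exe loading a DLL from the user's Temp folder, DLLs with random-looking 8-letter names called through an ordinal or single-letter export, and Run value names that look like random hex. The triage script below is an added example written for this thread, not a tool from the thread or from HijackThis; the regexes are my own heuristics, and the sample lines are copied from the first log above plus one benign rundll32 entry (oobefldr.dll) to show the false-positive guard.

```python
import re
from dataclasses import dataclass

# HijackThis O4 (autostart) line:  O4 - HKLM\..\Run: [Name] command
O4_RE = re.compile(
    r'^O4 - (?P<hive>[^\\]+(?:\\S-[\d-]+)?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$'
)
# rundll32.exe <dll>,<export>   (dll may be quoted; export may be "#1" or a single letter)
RUNDLL_RE = re.compile(r'^rundll32\.exe\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE)
TEMP_DIR_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)
RANDOM_DLL_RE = re.compile(r'^[a-z]{8}\.dll$', re.IGNORECASE)       # e.g. khfFWqqp.dll (heuristic)
ORDINAL_EXPORT_RE = re.compile(r'^(?:#\d+|[a-z])$', re.IGNORECASE)  # e.g. #1, b, c, s
HEX_NAME_RE = re.compile(r'^(?:bm)?[0-9a-f]{8}$', re.IGNORECASE)    # e.g. fa49ba5b, bMf97a89c7

# Constructed sample: O4 lines from the log in this thread, plus two benign entries.
SAMPLE_HJT_LINES = [
    r"O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide",
    r"O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\khfFWqqp.dll,#1",
    r'O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE',
    r"O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Trond\AppData\Local\Temp\awttrSKb.dll,c",
    r"O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Trond\AppData\Local\Temp\ljjKeCut.dll,#1",
    r'O4 - HKCU\..\Run: [fa49ba5b] rundll32.exe "C:\Users\Trond\AppData\Local\Temp\ptbcacrk.dll",b',
    r'O4 - HKCU\..\Run: [bMf97a89c7] Rundll32.exe "C:\Users\Trond\AppData\Local\Temp\lgtgckkt.dll",s',
    r"O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJENESTE')",
    r"O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe",
]


@dataclass
class Finding:
    line: str
    name: str
    hive: str
    dll: str
    reasons: list


def parse_o4(line):
    """Split an O4 line into hive, key, value name and command; None for non-O4 lines."""
    m = O4_RE.match(line)
    return m.groupdict() if m else None


def assess_o4(entry):
    """Return the reasons an O4 entry looks like a Vundo-style rundll32 loader (empty if none)."""
    reasons = []
    if HEX_NAME_RE.match(entry["name"]):
        reasons.append("Run value name looks like random hex")
    rm = RUNDLL_RE.match(entry["cmd"])
    if rm is None:
        return reasons  # only rundll32 loaders get the DLL checks
    dll, export = rm.group("dll"), rm.group("export")
    base = dll.rsplit("\\", 1)[-1]
    if TEMP_DIR_RE.search(dll):
        reasons.append("rundll32 loads a DLL from the user's Temp directory")
    # oobefldr.dll has an 8-letter name too, but a real named export, so it is not flagged
    if RANDOM_DLL_RE.match(base) and ORDINAL_EXPORT_RE.match(export):
        reasons.append("random-looking 8-letter DLL name with ordinal/one-letter export")
    return reasons


def triage(lines):
    """Run the checks over HijackThis log lines and collect the flagged O4 entries in log order."""
    findings = []
    for line in lines:
        entry = parse_o4(line.strip())
        if entry is None:
            continue
        reasons = assess_o4(entry)
        if reasons:
            rm = RUNDLL_RE.match(entry["cmd"])
            dll = rm.group("dll") if rm else ""
            findings.append(Finding(line.strip(), entry["name"], entry["hive"], dll, reasons))
    return findings


def fix_list(findings):
    """The exact lines to tick in HijackThis before clicking "Fix checked"."""
    return [f.line for f in findings]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LINES):
        print(f"{f.hive}\\..\\Run [{f.name}] -> {f.dll}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample, the flagged lines are exactly the five norbat listed; the regex-based name checks are heuristics, so treat a hit as a prompt to look at the DLL, not as proof by itself.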
Trond1981 Skrevet 26. juni 2008 Forfatter Skrevet 26. juni 2008 SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 06/26/2008 at 08:59 PM Application Version : 4.15.1000 Core Rules Database Version : 3491 Trace Rules Database Version: 1482 Scan type : Complete Scan Total Scan Time : 00:45:40 Memory items scanned : 441 Memory threats detected : 1 Registry items scanned : 6584 Registry threats detected : 8 File items scanned : 36013 File threats detected : 44 Trojan.Vundo-Variant/Small C:\USERS\TROND\APPDATA\LOCAL\TEMP\AWTTRSKB.DLL C:\USERS\TROND\APPDATA\LOCAL\TEMP\AWTTRSKB.DLL Trojan.Vundo-Variant/Small-GEN HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{018B27FF-E05F-4CB5-8763-540CB3FD457A} HKCR\CLSID\{018B27FF-E05F-4CB5-8763-540CB3FD457A} HKCR\CLSID\{018B27FF-E05F-4CB5-8763-540CB3FD457A}\InprocServer32 HKCR\CLSID\{018B27FF-E05F-4CB5-8763-540CB3FD457A}\InprocServer32#ThreadingModel C:\WINDOWS\SYSTEM32\KHFFWQQP.DLL C:\WINDOWS\SYSTEM32\LJJBTRQP.DLL C:\WINDOWS\SYSTEM32\WVUOPHEX.DLL Adware.Vundo Variant/Rel HKU\S-1-5-21-3073573128-86556096-3548839145-1000\Software\Microsoft\Windows\CurrentVersion\Run#MSServer [ rundll32.exe C:\Users\Trond\AppData\Local\Temp\ljjKeCut.dll,#1 ] HKLM\Software\Microsoft\Windows\CurrentVersion\Run#MSServer [ rundll32.exe C:\Windows\system32\khfFWqqp.dll,#1 ] HKU\S-1-5-21-3073573128-86556096-3548839145-1000\Software\Microsoft\Windows\CurrentVersion\Run#cmds [ rundll32.exe C:\Users\Trond\AppData\Local\Temp\awttrSKb.dll,c ] HKU\S-1-5-21-3073573128-86556096-3548839145-1000\Software\Microsoft\rdfa Adware.Tracking Cookie C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jørmeland@2o7[1].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jø[email protected][1].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jø[email protected][1].txt C:\Users\Heidi S. 
Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jø[email protected][2].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jø[email protected][1].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jø[email protected][1].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jø[email protected][2].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jørmeland@adtech[1].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jørmeland@advertising[2].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jø[email protected][1].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jørmeland@atdmt[2].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jø[email protected][1].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jørmeland@bravenet[1].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jø[email protected][2].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jø[email protected][2].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jø[email protected][1].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jørmeland@doubleclick[2].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jø[email protected][1].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jø[email protected][1].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jø[email protected][1].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jø[email protected][1].txt C:\Users\Heidi S. 
Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jørmeland@hitbox[2].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jørmeland@imrworldwide[1].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jørmeland@indexstats[2].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jørmeland@indextools[2].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jørmeland@mediaplex[1].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jørmeland@overture[1].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jørmeland@serving-sys[1].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jø[email protected][1].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jø[email protected][1].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jø[email protected][2].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jø[email protected][2].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jø[email protected][1].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jø[email protected][1].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jø[email protected][1].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jø[email protected][1].txt C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jø[email protected][3].txt C:\Users\Heidi S. 
Jørmeland\AppData\Roaming\Microsoft\Windows\Cookies\Low\heidi_s._jørmeland@xiti[1].txt C:\Users\Trond\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt C:\Users\Trond\AppData\Roaming\Microsoft\Windows\Cookies\Low\trond@clickbank[1].txt ComboFix 08-06-20.4 - Trond 2008-06-26 21:13:45.1 - NTFSx86 Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1044.18.1202 [GMT 2:00] Running from: C:\Users\Trond\Desktop\ComboFix.exe * Created a new restore point * Resident AV is active . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Program Files\p4p C:\Program Files\p4p\Bookmark.ini C:\Program Files\p4p\P4P.exe C:\Program Files\p4p\RING.WAV . ((((((((((((((((((((((((( Files Created from 2008-05-26 to 2008-06-26 ))))))))))))))))))))))))))))))) . 2008-06-26 20:11 . 2008-06-26 20:11 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com 2008-06-26 20:10 . 2008-06-26 20:10 <DIR> d-------- C:\Users\Trond\AppData\Roaming\SUPERAntiSpyware.com 2008-06-26 20:09 . 2008-06-26 20:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-06-26 19:01 . 2008-06-26 19:03 <DIR> d-------- C:\fixwareout 2008-06-26 18:58 . 2008-06-26 19:02 <DIR> d-------- C:\RogueRemover FREE 2008-06-26 15:59 . 2008-03-08 02:37 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll 2008-06-26 15:59 . 2008-03-08 06:30 1,686,528 --a------ C:\Windows\System32\gameux.dll 2008-06-26 15:59 . 2008-04-29 03:42 220,160 --a------ C:\Windows\System32\drivers\bthport.sys 2008-06-26 15:59 . 2008-04-29 05:50 181,760 --a------ C:\Windows\System32\fsquirt.exe 2008-06-26 15:59 . 2008-05-10 03:21 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys 2008-06-26 15:59 . 2008-04-29 03:42 29,184 --a------ C:\Windows\System32\drivers\BTHUSB.SYS 2008-06-26 15:59 . 2008-04-29 03:42 19,456 --a------ C:\Windows\System32\drivers\bthenum.sys 2008-06-26 15:59 . 
2008-05-10 05:30 14,848 --a------ C:\Windows\System32\wshrm.dll 2008-06-26 15:58 . 2008-04-26 10:02 1,327,104 --a------ C:\Windows\System32\quartz.dll 2008-06-26 15:58 . 2008-04-23 06:27 1,244,672 --a------ C:\Windows\System32\mcmde.dll 2008-06-26 15:58 . 2008-04-23 06:27 428,032 --a------ C:\Windows\System32\EncDec.dll 2008-06-26 15:58 . 2008-04-23 06:27 292,352 --a------ C:\Windows\System32\psisdecd.dll 2008-06-26 15:58 . 2008-04-23 06:26 218,624 --a------ C:\Windows\System32\psisrndr.ax 2008-06-26 15:58 . 2008-04-23 06:26 80,896 --a------ C:\Windows\System32\MSNP.ax 2008-06-26 15:58 . 2008-04-23 06:26 68,608 --a------ C:\Windows\System32\Mpeg2Data.ax 2008-06-26 15:58 . 2008-04-23 06:26 57,856 --a------ C:\Windows\System32\MSDvbNP.ax 2008-06-25 22:41 . 2008-06-25 22:39 512,096 --a------ C:\Windows\System32\drivers\amon.sys 2008-06-25 22:41 . 2008-06-25 22:39 298,104 --a------ C:\Windows\System32\imon.dll 2008-06-25 22:41 . 2008-06-25 22:39 15,424 --a------ C:\Windows\System32\drivers\nod32drv.sys 2008-06-25 22:39 . 2008-06-26 21:13 <DIR> d-------- C:\Program Files\ESET 2008-06-25 22:28 . 2008-06-25 22:28 26,112 --a------ C:\Windows\System32\wvUoPhEX.dll 2008-06-25 22:23 . 2008-06-25 22:23 26,112 --a------ C:\Windows\System32\ljJBtrqP.dll 2008-06-25 22:22 . 2008-06-25 22:22 26,112 --a------ C:\Windows\System32\khfFWqqp.dll 2008-06-02 16:41 . 2008-06-02 16:41 <DIR> d-------- C:\Users\Trond\AppData\Roaming\Ahead 2008-06-02 16:41 . 2008-06-02 16:41 <DIR> d-------- C:\ProgramData\LightScribe 2008-05-30 22:33 . 2008-05-30 22:33 <DIR> d-------- C:\Users\Trond\AppData\Roaming\CyberLink 2008-05-30 22:33 . 2008-05-30 22:33 <DIR> d-------- C:\Users\Public\CyberLink 2008-05-30 22:31 . 2008-05-30 22:42 <DIR> d-------- C:\ProgramData\CyberLink 2008-05-30 22:26 . 2008-05-30 22:30 <DIR> d-------- C:\Program Files\CyberLink 2008-05-27 20:49 . 2008-05-29 22:35 <DIR> d-------- C:\Users\Trond\AppData\Roaming\dvdcss 2008-05-27 20:25 . 
2008-05-27 20:25 <DIR> d-------- C:\Program Files\Smart Projects . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-26 19:13 1,048,576 --sha-w C:\Users\Heidi S. Jørmeland\NTUSER.DAT 2008-06-26 19:13 1,048,576 --sha-w C:\Users\Heidi S. Jørmeland\NTUSER.DAT 2008-06-26 14:13 --------- d-----w C:\Program Files\Windows Mail 2008-06-26 14:12 --------- d-----w C:\Users\Trond\AppData\Roaming\uTorrent 2008-06-25 21:40 --------- d-----w C:\ProgramData\Symantec 2008-06-25 21:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-06-25 21:38 --------- d-----w C:\Program Files\Symantec 2008-06-25 20:26 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-06-12 17:12 --------- d-s---w C:\Users\Heidi S. Jørmeland\AppData\Roaming\Microsoft 2008-05-24 11:00 --------- d-----w C:\Program Files\uTorrent 2008-05-11 20:01 --------- d-----w C:\Program Files\Network Stumbler 2008-05-09 17:36 --------- d-----w C:\ProgramData\Media Center Programs 2008-05-09 17:18 --------- d-----w C:\Users\Trond\AppData\Roaming\InstallShield 2008-05-09 06:56 --------- d-----w C:\Users\Heidi S. Jørmeland\AppData\Roaming\Adobe 2008-05-07 07:55 767,488 ----a-w C:\Windows\system32\drivers\athr.sys 2008-05-05 17:33 --------- d-----w C:\Users\Heidi S. Jørmeland\AppData\Roaming\Google 2008-05-01 20:51 --------- d-----w C:\Users\Heidi S. Jørmeland\AppData\Roaming\Macromedia 2008-05-01 20:51 --------- d-----w C:\Users\Heidi S. Jørmeland\AppData\Roaming\ATI 2008-05-01 20:50 --------- d-----w C:\Users\Heidi S. 
Jørmeland\AppData\Roaming\Identities 2008-05-01 09:37 --------- d-----w C:\Program Files\QuickTime 2008-05-01 09:36 --------- d-----w C:\ProgramData\Apple Computer 2008-05-01 09:35 --------- d-----w C:\ProgramData\Apple 2008-05-01 09:35 --------- d-----w C:\Program Files\Apple Software Update 2008-04-25 04:23 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll 2008-02-16 01:22 174 --sha-w C:\Program Files\desktop.ini . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1] @={A8D448F4-0431-45AC-9F5E-E1B434AB2249} [HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}] 2007-06-02 03:08 143360 --a------ C:\Program Files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-03-17 22:05 1232896] "LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-06-20 13:49 451872] "ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 14:35 125440] "CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 12:03 868352] "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 14:36 201728] "SUPERAntiSpyware"="C:\Users\Trond\Desktop\SAS\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 22:35 90112] "RtHDVCpl"="RtHDVCpl.exe" [2007-02-15 11:07 4390912 C:\Windows\RtHDVCpl.exe] "SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 11:31 630784] "ATKMEDIA"="C:\Program Files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 18:27 61440] "JMB36X IDE 
Setup"="C:\Windows\JM\JMInsIDE.exe" [2006-10-30 14:44 36864] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-01 15:24 857648] "ASUS Camera ScreenSaver"="C:\Windows\ASScrProlog.exe" [2008-02-16 04:09 37232] "ASUS Screen Saver Protector"="C:\Windows\ASScrPro.exe" [2008-02-16 04:09 33136] "PowerForPhone"="C:\Program Files\P4P\P4P.exe" [ ] "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 16:57 153136] "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696] "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-22 14:23 81920] "LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 12:06 62760] "BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [2007-11-17 02:20 91432] "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-06-25 22:39 949376] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{018B27FF-E05F-4CB5-8763-540CB3FD457A}"= C:\Windows\system32\khfFWqqp.dll [2008-06-25 22:22 26112] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Users\Trond\Desktop\SAS\SASSEH.DLL [2008-05-13 10:13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Users\Trond\Desktop\SAS\SASWINLO.dll 2007-04-19 13:41 294912 C:\Users\Trond\Desktop\SAS\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UacDisableNotify"=dword:00000001 "InternetSettingsDisableNotify"=dword:00000001 "AutoUpdateDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] 
"DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules] "{AA3B368C-C902-453B-BD81-FCC7B16080B7}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook "{31CEDD73-6FA0-47CA-8952-6183976A2A8B}"= UDP:D:\Spill\Football Manager 2008\fm.exe:Football Manager 2008 "{A40AF06C-CF1D-43C5-BCA0-1D961779A8FF}"= TCP:D:\Spill\Football Manager 2008\fm.exe:Football Manager 2008 "{9A204CC5-1795-4198-AADC-88B4DB8D9C22}"= UDP:D:\Spill\World in Conflict\wic.exe:World in Conflict "{E75CB35E-9473-4C11-A3CA-972371756427}"= TCP:D:\Spill\World in Conflict\wic.exe:World in Conflict "{7A7E409F-C55A-46C6-A2D7-0B8C35C48CAE}"= UDP:D:\Spill\World in Conflict\wic_online.exe:World in Conflict - Online Only "{7BF9DF3C-4D5B-4026-BA94-B6BFA9EA76EA}"= TCP:D:\Spill\World in Conflict\wic_online.exe:World in Conflict - Online Only "{4AEF8B10-F666-4621-86A0-07E093B8A845}"= UDP:D:\Spill\World in Conflict\wic_ds.exe:World in Conflict - Dedicated Server "{362D3BCF-9AA7-44BE-BF0B-EA2F8BB6B5BC}"= TCP:D:\Spill\World in Conflict\wic_ds.exe:World in Conflict - Dedicated Server "{3AA676A2-DC4E-4461-970F-7A48CC5B3E61}"= C:\Program Files\Cyberlink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD "TCP Query User{CE4243F4-C43A-4EB4-A6F9-4D3D85BB3384}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent "UDP Query User{9EF18E40-FEFD-4564-8025-1C03814CA74F}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent [HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System] "DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic| R0 sfdrv01a;StarForce Protection 
Environment Driver (version 1.x.a);C:\Windows\system32\drivers\sfdrv01a.sys [2006-07-05 14:46] R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2008-01-30 12:28] R2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;C:\Windows\System32\StkCSrv.exe [2007-02-07 12:44] R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-07-04 17:01] R3 itecir;ITECIR Infrared Receiver;C:\Windows\system32\DRIVERS\itecir.sys [2006-11-25 01:38] R3 StkCMini;Syntek AVStream USB2.0 1.3M WebCam;C:\Windows\system32\Drivers\StkCMini.sys [2007-02-13 06:41] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] bthsvcs REG_MULTI_SZ BthServ [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32d4d8f7-f2b5-11dc-b7df-001bfcefded0}] \shell\AutoRun\command - wd_windows_tools\setup.exe *Newly Created Service* - CATCHME *Newly Created Service* - SASENUM [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}] "C:\Program Files\Common Files\LightScribe\LSRunOnce.exe" . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-26 21:33:13 Windows 6.0.6000 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... C:\ADSM_PData_0150 scan completed successfully hidden files: 1 ************************************************************************** . 
Completion time: 2008-06-26 21:34:45
ComboFix-quarantined-files.txt 2008-06-26 19:34:42

Pre-Run: 109,102,891,008 byte ledig
Post-Run: 108,169,351,168 byte ledig

176 --- E O F --- 2008-06-26 14:09:57

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:40:07, on 26.06.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\ASScrPro.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\CyberLink\Shared files\brs.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\Trond\Desktop\SAS\SUPERAntiSpyware.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\CTPdeSrv.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\Explorer.exe
C:\Users\Trond\Desktop\Hijack this\test.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ASUS Camera ScreenSaver] C:\Windows\ASScrProlog.exe
O4 - HKLM\..\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe
O4 - HKLM\..\Run: [PowerForPhone] "C:\Program Files\P4P\P4P.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [bDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Users\Trond\Desktop\SAS\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Users\Trond\Desktop\SAS\SASWINLO.dll
O23 - Service: ADSM Service (ADSMService) - Unknown owner - C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: Syntek AVStream USB2.0 WebCam Service (StkSSrv) - Syntek America Inc. - C:\Windows\System32\StkCSrv.exe

--
End of file - 7798 bytes

WHAT DO I DO NOW????
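One way to triage a log like the one above in code, as an added example for this thread (not code from the forum or from HijackThis itself): the parser splits a HijackThis 2.x log into header lines, the "Running processes" list and the numbered R/F/O entries, and the flagging rules are heuristics of my own that mirror what a helper checks by eye: O2/O3 entries whose DLL is "(no file)", O23 services whose binary is "(file missing)" or that report "Unknown owner", and O4/O20 autostart entries that run from a user profile folder or name a bare file with no path. SAMPLE_LOG is constructed from a few lines quoted in the thread and is not a complete log; the function and reason names are mine.

```python
"""Triage a Trend Micro HijackThis 2.x log.

Added example for this thread; it is not HijackThis' own code, and the
flagging rules are my own heuristics, not the tool's. SAMPLE_LOG is
constructed from a handful of lines quoted in the thread and is not a
complete log.
"""
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:40:07, on 26.06.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Users\Trond\Desktop\SAS\SUPERAntiSpyware.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Users\Trond\Desktop\SAS\SUPERAntiSpyware.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Users\Trond\Desktop\SAS\SASWINLO.dll
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
--
End of file - 7798 bytes
"""

# One HijackThis entry: section code (R0, O2, O23, ...) followed by " - " and the body.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")
# A command that starts with a drive letter or an environment variable, optionally quoted.
FULL_PATH_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%[A-Za-z0-9_()]+%\\)')
# Folders inside a user profile (Vista and XP layouts) that user-level code can write to.
USER_PROFILE_RE = re.compile(r"\\(?:Users|Documents and Settings)\\", re.IGNORECASE)


@dataclass
class Entry:
    code: str  # HijackThis section, e.g. "O2"
    body: str  # text after "O2 - "


@dataclass
class Finding:
    code: str
    reason: str
    body: str


def parse_hjt_log(text):
    """Split a log into header lines, the 'Running processes' list and numbered entries."""
    header, processes, entries = [], [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append(Entry(m.group("code"), m.group("body")))
        elif in_processes:
            processes.append(line)
        else:
            header.append(line)
    return {"header": header, "processes": processes, "entries": entries}


def flag_entries(entries):
    """Apply the review heuristics a helper applies by eye when reading a log."""
    findings = []
    for e in entries:
        # O2/O3: a CLSID still registered although its DLL is gone (typical uninstall leftover).
        if e.code in ("O2", "O3") and e.body.endswith("(no file)"):
            findings.append(Finding(e.code, "orphaned_clsid", e.body))
        if e.code == "O23":
            # A service whose binary HijackThis could not find on disk.
            if e.body.endswith("(file missing)"):
                findings.append(Finding(e.code, "service_binary_missing", e.body))
            # No vendor in the version resource: verify the publisher before trusting it.
            if " - Unknown owner - " in e.body:
                findings.append(Finding(e.code, "service_unknown_vendor", e.body))
        if e.code in ("O4", "O20"):
            # O4 bodies look like 'HKLM\..\Run: [Name] command'; O20 like 'Winlogon Notify: Name - path'.
            command = e.body.split("] ", 1)[-1] if e.code == "O4" else e.body.split(" - ", 1)[-1]
            # Autostart from a user-writable location: confirm it is something you installed.
            if USER_PROFILE_RE.search(command):
                findings.append(Finding(e.code, "autostart_in_user_profile", e.body))
            # A bare file name is resolved through the search path, not an absolute location.
            if e.code == "O4" and not FULL_PATH_RE.match(command):
                findings.append(Finding(e.code, "autostart_unqualified_path", e.body))
    return findings


def summarize(text):
    """Count findings per reason for a whole log."""
    return Counter(f.reason for f in flag_entries(parse_hjt_log(text)["entries"]))


if __name__ == "__main__":
    for f in flag_entries(parse_hjt_log(SAMPLE_LOG)["entries"]):
        print(f"{f.code:<4} {f.reason:<28} {f.body}")
```

The findings are prompts for review, not verdicts: in this thread the O4 and O20 entries under C:\Users\Trond\Desktop\SAS belong to SUPERAntiSpyware, which was run as part of the cleanup, and the two orphaned CLSIDs are the Google Toolbar registrations visible in the earlier log, left behind after its DLL was removed.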
Trond1981 (thread author) posted 26 June 2008: I haven't installed StoltBeskyttelse myself, at any rate, and I can't find it in the list of installed programs either...
norbat posted 26 June 2008: StoltBeskyttelse has a tendency to install itself.

A bit of cleanup:

Step 1: Remove the leftovers of Norton. Use the Norton Removal Tool.

Step 2: Open Notepad and paste in what is written in bold below, then save the file on the desktop as CFScript.txt. Then drag the file onto the ComboFix icon. ComboFix will start again.

File::
C:\Windows\System32\wvUoPhEX.dll
C:\Windows\System32\ljJBtrqP.dll
C:\Windows\System32\khfFWqqp.dll

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{018B27FF-E05F-4CB5-8763-540CB3FD457A}"=-

Step 3: Download MBAM to the desktop. Run the file and install the program. Choose Norwegian as the language. Let the program update itself and choose to run a quick system scan. You will get a message box when the program has finished. Then click the Show Results button. If malware has been found, you will now see what was found. Then click the Remove Selected button to remove any malware that was found. When MBAM has finished removing what it found, a log will be opened in Notepad. You can post that log if it finds anything. Also tell us how it goes with the StoltBeskyttelse popups.
Trond1981 (thread author) posted 26 June 2008:

Malwarebytes' Anti-Malware 1.18
Database versjon: 894

23:45:44 26.06.2008
mbam-log-6-26-2008 (23-45-44).txt

Skann type: Rask Skann
Objekter skannet: 38450
Tid tilbakelagt: 3 minute(s), 23 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 0
Registernøkler infisert: 0
Registerverdier infisert: 0
Registerfiler infisert: 0
Mapper infisert: 0
Filer infisert: 0

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
(Ingen mistenkelige filer funnet)

Registernøkler infisert:
(Ingen mistenkelige filer funnet)

Registerverdier infisert:
(Ingen mistenkelige filer funnet)

Registerfiler infisert:
(Ingen mistenkelige filer funnet)

Mapper infisert:
(Ingen mistenkelige filer funnet)

Filer infisert:
(Ingen mistenkelige filer funnet)

NOW EVERYTHING SEEMS TO BE "BACK TO NORMAL"!!!! THANK YOU SO MUCH FOR THE HELP!!!!
norbat posted 26 June 2008: Then you can remove ComboFix. Type combofix /u in the Run box. This removes the program and resets System Restore, so that you don't get reinfected by a later restore. SAS and MBAM can be removed from Add/Remove Programs if you don't want to keep them. Surf safely!